IronCore Labs Cloaked Search encrypts sensitive data before it goes to the search service
IronCore Labs launched Cloaked Search, a drop-in encrypted search solution to protect sensitive data held in existing search services, and a partnership with OpenSearch, a community-driven, open-source search service.
“Encrypting data is the best way to protect data from ransomware, hackers, and curious administrators,” said Patrick Walsh, CEO of IronCore Labs. “With Cloaked Search, you can now expand your vital data security measures to cover the data in your search service using encryption you can actually search on.”
How Cloaked Search works
Cloaked Search by IronCore Labs is a transparent encryption proxy, which means that it encrypts sensitive data before it goes to the search service and decrypts search results as they flow back from the search service. Anyone looking at the stored search data and the search indices who doesn’t have the proper key will only see random bytes instead of meaningful information.
Protecting multi-tenant customer data
With native support for modern cloud applications, Cloaked Search includes features that allow separate master keys to protect different segments of data. This allows multi-tenant architectures to virtually isolate customer data and to eliminate any risk of accidentally leaking data between customers. Cloaked Search works out of the box with OpenSearch and Elasticsearch. It also works with managed services that are built on top of OpenSearch or Elasticsearch.
Getting started
To use Cloaked Search, developers simply point their code to the proxy instead of the search service. Rankings and results operate much the same as before. When indexing or searching documents, the proxy will automatically encrypt the documents and queries as needed.
Cloaked Search features
- Easy-to-use no-code approach allows for quick setup.
- Encrypted search that integrates with an existing search system.
- Supports wildcard searches, phrase searches, complex queries, phonetic matches, field boosting, and more.
- Multi-key support allows inexpensive segmentation of data, virtual isolation of the data segments, and protection against search injection attacks.
- Selective protection allows admins to choose which fields to secure, while other fields pass through as normal. Admins can increase the number of fields protected over time.
- Integrates with IronCore Labs’ SaaS Shield product so SaaS customers can hold and manage their own encryption keys while getting full audit trails for all access to their data. SaaS applications can charge a premium for this Bring Your Own Key (BYOK) or Customer Managed Keys (CMK) functionality.
- Simple deployment options integrate well with kubernetes and other cloud orchestration.
- Self-trial means anyone can try it by downloading and running a docker container locally.
Partnership with OpenSearch
IronCore Labs is an official partner of OpenSearch, bringing strong data security functionalities to the entire OpenSearch community.
“We’re proud to partner with OpenSearch to extend the broader OpenSearch ecosystem with application-layer encryption and encrypted search,” said Riah Solomon, Marketing Director at IronCore Labs. “Our approach with Cloaked Search puts control of sensitive data into the hands of its rightful owners.”
The importance of Cloaked Search
“Cloaked Search plugs a critical hole in the market and in most organizations’ layered defense strategy,” Walsh said. “Before now, protecting data meant encrypting it, and encrypting it meant making it hard to find and use. With Cloaked Search, organizations can encrypt their data without sacrificing functionality.”
In the broader context, laws like GDPR and CCPA mandate that the private data of consumers be well protected. GDPR requires both secure processing and security by design, which generally means encryption of personal data. When user data is encrypted at a higher layer, hackers who gain access to servers and systems will only see random bytes. Without access to the keys, those random bytes are useless to the attackers. And if no unencrypted personal information was accessed, then there is no obligation to publicly disclose the incident.
Today, search services are typically encrypted only at the lowest level with transparent disk encryption. This approach blocks data theft when hard drives are stolen but does not protect data on a running machine.
Cloaked Search brings meaningful data protection to search indices by making the search services blind to the data they hold.